  1. Sep 08, 2013
    • Experimental encrypt-then-mac support. · 5e3ff62c
      Dr. Stephen Henson authored
      Experimental support for encrypt then mac from
      draft-gutmann-tls-encrypt-then-mac-02.txt
      
      To enable it set the appropriate extension number (0x10 for the test server)
      using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x10
      
      For non-compliant peers (i.e. just about everything) this should have no
      effect.
  2. Sep 06, 2013
    • Add callbacks supporting generation and retrieval of supplemental data... · 36086186
      Scott Deboy authored
      Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
      Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
      Tests exercising the new supplemental data registration and callback API can be found in ssltest.c.
      Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
  3. Sep 05, 2013
  4. Jul 17, 2013
    • EVP support for wrapping algorithms. · 97cf1f6c
      Dr. Stephen Henson authored
      Add support for key wrap algorithms via EVP interface.
      
      Generalise AES wrap algorithm and add to modes, making existing
      AES wrap algorithm a special case.
      
      Move test code to evptests.txt
  5. Jul 04, 2013
  6. Jun 21, 2013
  7. Jun 12, 2013
  8. Apr 09, 2013
    • Dual DTLS version methods. · c6913eeb
      Dr. Stephen Henson authored
      Add new methods DTLS_*_method() which support both DTLS 1.0 and DTLS 1.2 and
      pick the highest version the peer supports during negotiation.
      
      As with SSL/TLS, options can change this behaviour, specifically
      SSL_OP_NO_DTLSv1 and SSL_OP_NO_DTLSv1_2.
  9. Dec 19, 2012
  10. Dec 11, 2012
  11. Dec 07, 2012
  12. Dec 06, 2012
  13. Dec 05, 2012
  14. Dec 04, 2012
  15. Dec 02, 2012
  16. Nov 28, 2012
  17. Nov 27, 2012
  18. Nov 22, 2012
  19. Nov 19, 2012
  20. Nov 18, 2012
    • PR: 2909 · d88926f1
      Dr. Stephen Henson authored
      Contributed by: Florian Weimer <fweimer@redhat.com>
      
      Fixes to X509 hostname and email address checking. Wildcard matching support.
      New test program and manual page.
  21. Nov 16, 2012
  22. Oct 08, 2012
  23. Sep 19, 2012
  24. Sep 14, 2012
  25. Sep 12, 2012
  26. Sep 11, 2012
  27. Aug 29, 2012
  28. Aug 15, 2012
  29. Aug 03, 2012
  30. Jul 27, 2012
  31. Jul 24, 2012
  32. Jul 23, 2012
    • Add support for certificate stores in CERT structure. This makes it · 74ecfab4
      Dr. Stephen Henson authored
      possible to have different stores per SSL structure or one store in
      the parent SSL_CTX. Include distinct stores for certificate chain
      verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
      to build and store a certificate chain in CERT structure: returning
      an error if the chain cannot be built: this will allow applications
      to test if a chain is correctly configured.
      
      Note: if the CERT based stores are not set then the parent SSL_CTX
      store is used to retain compatibility with existing behaviour.
  33. Jul 18, 2012
  34. Jul 08, 2012
    • Add new ctrl to retrieve client certificate types, print out · 9f27b1ee
      Dr. Stephen Henson authored
      details in s_client.
      
      Also add ctrl to set client certificate types. If not used sensible values
      will be included based on supported signature algorithms: for example if
      we don't include any DSA signing algorithms the DSA certificate type is
      omitted.
      
      Fix restriction in old code where certificate types would be truncated
      if it exceeded TLS_CT_NUMBER.
  35. Jul 03, 2012
  36. Jun 29, 2012
    • Add certificate callback. If set this is called whenever a certificate · 18d71588
      Dr. Stephen Henson authored
      is required by client or server. An application can decide which
      certificate chain to present based on arbitrary criteria: for example
      supported signature algorithms. Add very simple example to s_server.
      This fixes many of the problems and restrictions of the existing client
      certificate callback: for example you can now clear existing certificates
      and specify the whole chain.